Posted by Soulskill on Tuesday April 10, 2012 @12:48PM
from the doesn't-play-well-with-others dept.

Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"

And yes, "viruses" are not the only kind of malware out there - most people on /. know that. But no one else in my family does, and neither do the vast majority of people those two examples target for marketing. Apple's claim that Macs don't get "viruses", in my mom's mind, equates to "Apples don't have malware".

Well in all "honesty" Apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't; it gets Mac malware. But I know, it isn't honest, hence my first quotes, and to most people that does mean that "it doesn't get anything bad, unlike that stupid Windows thingy".

The AV software for Apple is the same as it was for Unix and Linux. It was not that PC viruses could infect *nix. Microsoft, Norton, and McAfee were using propaganda marketing telling people that *nix file servers could not clean up viruses like an NT file server could and were dangerous since they could house viruses causing Windows to become infected. Since most VPs are dumb enough not to understand the unimportance of that marketing ploy, a lot of AV products sprang up for *nix and iOS.

Many of the vendors still produce AV software for OSes that don't really need it for that reason. I'll bet you can still find iOS AV software for a fee; the P.T. Barnum theory works as well today as it did when he was alive.

Well in all "honesty" Apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't.

Technically, it does. PC stands for Personal Computer, not Windows machine. Macs, just like Linux and Windows boxes, are PCs. Since Apple are trying to use pedantry to obfuscate, holding them to the definition of a PC is only fair, which puts them squarely back in the realm of lying.

"The App Store revolutionized mobile apps. We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun. We can’t wait to get started on January 6."--Steve Jobs

If you want to be picky then Bootcamp is an official Apple product that allows you to run Windows, and by extension Windows viruses. It can also run Linux, and by extension the tiny number of mostly proof-of-concept Linux viruses.

Actually you can run various vulnerable software directly on MacOS, such as older versions of Safari or Apache.

Apple claimed there were no viruses. There are viruses. You are dancing on the head of a pin.

No, Macs do not get viruses. This type of malware is not a virus; it does not infect, does not travel from Mac to Mac, and does not install without permission. The malware is installed precisely because someone gives it permission. You can't stop people from installing malware - it's just human nature. If this is a virus, then so is Facebook.

Well in all "honesty" Apple's own webpage says "it doesn't get PC viruses". Technically, it doesn't; it gets Mac malware.

Technically Macs are Personal Computers, so yes, they get PC viruses (or malware). They may not be subject to *Windows* viruses (if they're not running Windows in a dual-boot or VM configuration), but Windows isn't a PC anyway, it's an OS.

Cast your mind back to the early 1980s, the era of the Commodore PET, the ZX81, the TRS 80. They were all personal computers, known as PCs. Then in 1981 IBM launched the IBM PC and swiftly manufacturers sprang up selling IBM PC compatibles. Within a year the letters PC had developed dual connotations - personal computer and PC compatible - compatible with the IBM PC. This duality of meaning has survived to today, so while you can (correctly) fulminate that the Mac is a PC, others will (correctly) fulminate that it isn't. You'll have to get used to that, I'm afraid.

From Mac's website: "A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in OS X Lion that keep you safe, without any work on your part."

1) No shit a Mac isn't susceptible to PC viruses. PCs aren't susceptible to Mac-only malware either.
2) In this case, my car isn't susceptible to Windows-based viruses thanks to built-in defenses of its windshield. Viruses weren't written for my windshield, so that counts as a built-in defense, right?

You've pointed out that I need to clarify my meanings in a few places here.

Flopped is a relative term. When I say desktops flopped, I mean they were not sufficient enough to keep the company from going under. Some people love them and still do.

Mac growth I believe is primarily on device integration and the social prestige that came with owning an iPhone or iPod. That stigma of other MP3 players being inferior stuck after iPods did so well. So when they came out with iPhone, you didn't want to be left out. So

Yes, but the Reality Distortion Field has been decreasing in strength as of late. Apple's own moderation of Java updates allowed this one to flourish, the Apple devout can't pass the buck onto another vendor this time. It's foolish to presume that a large installed base of users unconcerned with security would go ignored forever.

Unless you happen to be one of the million or more who clicked on a bogus/rigged link on a spoofed site and got this Flashback Trojan installed.

FTFY

The majority of Macs have one of the cheap/free pieces of software that prevented this trojan from installing - Little Snitch, Xcode, VirusBarrier X6, iAntiVirus, avast!, ClamXav, HTTPScoop, Packet Peeper. I said have rather than run as it is sufficient that the path to the application existed, and the application did not need to be running.

You're right how dare they, "get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit."?

"According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com."

As PCMag's Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.

So - yes, it required a trojan-esque password entry to fully activate, but it installed and was active even without it. Which means that it was probably ready and waiting for the next legitimate use of a password entry.

Your walled garden has been breached, and instead of putting your head in the sand, perhaps you'd better wake up to the fact that yes, security really is, at the end of the day, the user/owner's responsibility.

Pre OSX MacOS, while it may have gotten raves for friendliness, and was somewhat less bug riddled, was architecturally more or less a toy OS compared to almost anything contemporary. The ecosystem wasn't as large, and the distribution vectors markedly less efficient; but the Mac malware was out there.

Can you please provide any links to folks that have claimed that Macs don't get malware?

PCs get viruses... [youtube.com], the implication that Macs don't. There are plenty more examples. Although I am sure Apple has never been foolish enough to state outright that Macs don't get malware, the implication is clear often enough. And do your own fucking homework.

Their claims were explicit in that they differentiated PCs from Macs ("I'm a Mac.", "And I'm a PC.") and referred to PC viruses.

But Macs are PCs according to Apple: "The App Store revolutionized mobile apps," said Steve Jobs, Apple's CEO. "We hope to do the same for PC apps with the Mac App Store by making finding and buying PC apps easy and fun." Apple's Mac App Store to Open on January 6 [apple.com]

Safeguard your data. By doing nothing.
With virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware. For example, it thwarts hackers through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch. With FileVault 2, your data is safe and secure — even if it falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease. Other automatic security features include Library Randomization, which prevents malicious commands from finding their targets, and Execute Disable, which protects the memory in your Mac from attacks.
Download with peace of mind.
Innocent-looking files downloaded over the Internet may contain dangerous malware in disguise. That’s why files you download using Safari, Mail, and iChat are screened to determine if they contain applications. If they do, OS X alerts you, then warns you the first time you open one.

The reason they don't know about Apple's antivirus group is that it's the same one as their legal department. Operating on the basis that if people can't see or hear or know about viruses and botnets, then they don't exist.

Though people will pile on Apple (rightfully, see more below) you do need to remember that this hubris is somewhat justified. There was a time when Windows had tens of thousands of viruses to Mac OS's maybe, 8. Macs were just more secure. This was early web days, and there was some department of the government that recommended Mac OSX webservers. Partly because of design, partly because of the PowerPC chip which was hard to write exploit code for. Windows machines were defective by design. Outlook viruses w

The current version downloads and installs itself. No human interaction required besides viewing an infected webpage. Don't confuse the "viruses are impossible to get on a Mac" crowd more by trying to make them learn the subcategories of malicious software. The fact it was originally a trojan that required the admin password to install versus the drive-by installer requiring none is something more for the academics to quibble about, not the end users.

If this is a trojan, then exactly what piece of legitimate software is it piggybacking on in order to get installed? It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus. Previous versions that were actual trojans were embedded in warez downloads.

It sounds to me like it's exploiting a Java vulnerability using an applet that does not disguise itself as something useful, it is specifically to install the payload. That sounds like a traditional virus.

A virus is self-propagating. AFAIK, while this does propagate over networks, it isn't self-propagating (i.e.: infected nodes don't go around infecting other nodes). Hence, not a virus.

That's not to diminish its threat; simply that correct taxonomy aids in discourse towards finding a solution, and preventing similar malware in the future.

Virus = self-propagating, but does not run on its own. Requires some legitimate program which it exploits and modifies saved data to maintain itself. For example: a virus would enter a system as an infected word document, which would add macros into your copy of word infecting all of the word documents you edit after becoming infected. In general, the virus itself is not very useful, but frequently they're used as a piggy-back which downloads a...

Trojan-horse = program which gives a malicious user control over a system remotely. This is frequently done via IRC, but newer programs have become far more sophisticated using P2P protocols of their own design or hiding it as fake HTTP requests making traffic analysis more difficult. The trojan horse itself is NOT self-propagating, but it will put a ton of hooks around the system to re-download/re-deploy itself if it gets shut off. In general its only goal is to just keep running and allowing the malicious user to abuse the machine. Now frequently the malicious user will use the trojan horse to send out fake emails or other things which leads to propagation, but the program itself doesn't necessarily do it.

Worm = program which attempts to spread itself. It gets on a host machine and does something (normally immediately, sometimes with an incubation period, frequently involving email, sometimes 0-day exploits to networked computers) to try and get to more machines. After it has attempted to spread itself around, it will frequently follow-up by downloading a trojan horse, or sometimes it will contain the trojan horse functionality itself.

Straight up worms have kind of fallen out of style these days though. They're a bit too obvious and their repeated, predictable behaviour leads to them being spotted and blocked after not very much time out in the wild. And without some sort of trojan horse functionality there's not much point. Trojan horse functionality allows a central command to update the code and makes the worm a more useful product, eventually getting it on more computers and keeping security researchers guessing longer.

Anyway, hope this actually gets modded up by someone and people use these and/or tell me I'm an idiot.

"It's your fault scumbag. Keep quiet!" - Apple. Other companies have tried the same tactic, trying to silence/punish security people from publishing known holes. Like Microsoft. Sony. Nintendo. The Bluray Cartel.

Dr. Web is one of the leading security companies (at least in Russia) and they've been around since 1992. They are by no means 'nagware' or 'junk scanner' - their tools are legitimate, powerful and useful.

Eh? Not to make a "no true Scotsman" plea, but the security world is not that big. If Apple hasn't heard of them before, it means that Apple has no presence in this field. Not surprising when you consider that they can't seem to keep their top-secret iPhone prototypes in their pants.

Next, you'll excuse Utah for not knowing that Oracle is a giant security suck-hole. And in other news, RSA didn't realize that PDFs can carry exploits. Uh...

Because there aren't any. I worked for them, and customers that called in were routinely told there is nothing to worry about when it comes to malware. On their corporate side you would be amazed at who states exactly the same thing when they should know better.

Apple has had the benefit of so many years of being such a small market share that it did not make sense for people to create Trojans that targeted them. However, Microsoft has had to respond to threats over the years and had the time to develop processes to assess threats and work with security researchers. Apple has ended up behind the curve in this spectrum because of how long they had a small market share. If Apple is able to suck up their pride and work with the researchers they could end up being able to deal with such threats appropriately, but right now their pride is getting the best of them.

Bingo. Getting root is useful but not required for viruses, and Windows has had very similar setups for a long time already. It's perfectly possible to make a program that hides itself, resists deletion, spams, steals passwords, logs keys etc all without having root and there are quite a few such viruses out there. MacOS isn't any better defended than Windows against malware, in fact it's significantly worse because so many users don't even have AV software installed (my Mac does, btw).

Apple products are overpriced, insecure, not upgradable, developed by a CEO who believed integrity is optional, and makes its outsized profits on breaking labor laws in developing countries. Why do the supposed 'creative' class continue to support this pile of dung?

As with any other claimed discovery, I'd like to see independent corroboration. I'm not saying it doesn't exist, just that I personally haven't seen it. Everything I've read credits Dr.Web as the source. Has nobody else confirmed their findings?

Sharov may describe this as "a symptom of a company that has never before had to work closely with the security industry", but the article correctly points out that it's more a symptom of having "little experience working with the community of security researchers who aim to dissect and shut down botnets." The botnet security community is different from the general security community. As far as I know, Apple has a decent working relationship with the latter. It's no real surprise they have limited experience working with the anti-botnet community, since until now they haven't really had botnet problems.

The article also notes that Dr. Web is relatively unknown and that in the opinion of Kaspersky (which is at least more well-known), Apple is taking the usual appropriate steps.

As far as them not getting a contact back, that disagrees with my experience in reporting a security vulnerability to Apple. You send a message to their easily-found, catch-all "security" address. In relatively short order, a security engineer gets in touch with you, and you communicate with that person from that point on. It seemed to work just fine, unless, I suppose, you're egotistical enough to think that you should be able to pick up the phone and talk to someone at Apple immediately -- which is a common-enough problem in security.

Trojan virus vs. trojan malware. Yes, it's technically not a virus, but it is a piece of malware that the Mac-heads have been convinced they are immune to. And it is, no doubt, the first of many; in time, if someone actually cares, perhaps a real virus (CIH style) will be created for the Mac. You know, something with a timebomb, that goes undetected, then fries the disk firmware?

You do realize that Flashback evolved to where it needed neither, right? Unless you have Windows-style habits of relentlessly patching every third-party toolkit on your box, Flashback is perfectly capable of installing itself without your assistance (beyond browsing the web in a normal way).

'We don't know the antivirus group inside Apple.' means they haven't been able to talk to them and get to know them. I saw the website, and I feel safe saying I don't know the Apple AV group. I'm sure Sharov found the website. As they said in the article, they just get no response from Apple.

Seriously? It's that difficult to understand the difference between a generic address that goes $DEITY knows where (and mail sent to it is probably vetted by an intern) and the actual address of the responsible individual(s)/team(s)?

Do you know the difference between communication channels for customers and those for partners and specialists?

I work in an IT support position, and sure, if I need to contact a special group (say the Exchange administrators) I could use the phone numbers used by the customers... and would waste valuable time by making the call center agent on the other end understand that I need to speak with the admins directly. To avoid this, we have phone numbers and email addresses of those other divisions. You know: A direct line.

The security companies have direct lines to the security teams from Microsoft, and certainly Oracle, Red Hat etc. This is to everybody's advantage, as it reduces friction and increases response times. Only Apple doesn't understand that they are part of an ecosystem where everybody relies to some extent on everybody else...

As someone who has found and reported a (now) patched security vulnerability [nist.gov] to that email address, I can say that I agree with Boris Sharov's complaint. You do get an automated response with a case #, that includes the text

We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.

However, I received no replies when I did request status updates (and supplied additional information about the affected systems with explicit instructions about what needed to be done to fix existing systems). Even when I contacted other sources (Secunia, who confirmed the problem, and US-CERT), I received nothing from Apple. Nor was the problem addressed in two releases of QuickTime in the year following my report.

How I finally got a reply from Apple was sending an email to sjobs@apple.com on Sept 4, 2010 with a copy of the now year-old security report, and my statement that I was taking it to the full-disclosure list if I didn't hear back from Apple by Sept 15th. Fewer than 6 hours later (on a Saturday), I had a status update from Apple. Here's the meat of that reply:

Just wanted to let you know that a fix for this issue has been identified, and we are targeting an upcoming release of QuickTime to address it.

We provide status updates upon request.

Subsequent emails always got a reply, but before I sent my email to sjobs, it was like talking to a wall. Also, despite assurances that they understood the extent of the problem and my explicit instructions about needed remediation for affected systems, when they finally released the fix 3 months later, it only corrected the problem and did not provide remediation for the permissions on already affected systems, nor did it even mention that there were permissions to be fixed.

When it became clear that no remediation fix, nor an acknowledgement of the problem was coming from Apple, and ample time had passed for users to have installed the updated version of QT, I submitted my own fix to the Full Disclosure [seclists.org] mailing list.

In total, it was 15 months for Apple to release a fix, a fix that in all likelihood involved altering or removing two lines of code that were granting excessive privileges to specific directories. Even then, they did not correct the permissions on machines that were already affected.

So, in my opinion, Apple has a long way to go in developing and maintaining communications with those who report security vulnerabilities. And in acting upon those reports in a timely and responsible way.

Soon my armies shall pour forth from the shattered sandbox, ravaging this OS and all hope of resistance. My minions will find the vulnerability, wherever you choose to hide it. Then, at long last, BSD shall reign as the prime OS.

Yes, they don't have much communication and cooperation with the 'security industry' since it is mostly full of leeches and parasites who make money spreading fear. Now, this doesn't excuse them from failing to acknowledge issues, since that's just as bad, but the less this 'industry' leeches itself to OS X the better.

Yeah, just let the trojan spread unacknowledged. Ignore it and it will eventually go away, right?

"Leeches" or not, someone needs to work on stopping malware. MS didn't step up to the plate in the past, and I have little reason to think Apple will now (after all, their website still claims "Macs don't get viruses".)

A leech that swims by and says "hey, did you know you are bleeding?" isn't much of a leech. Other than a bit more fame, what does Dr. Web gain from this? It's not like they are extorting Apple.

I'm curious where you picked up the idea that security researchers and fake-AV sellers were somehow related?

Do you also assume that anyone yelling "fire" in a crowded building is just trying to make everyone scared? If so, I hope you are in a building fire some day so you can ignore the warning, safe in your fire-proof pants.

Apple, its employees and its users are legendarily arrogant. I find it much more believable that a security researcher got rebuffed than that there is a global conspiracy to make Apple look bad and drive American customers to purchase security products from a Russian company... An American company would likely have gotten the same response from Apple anyway.

The Apple slogan "Think Different" could just as easily be "It's Not Me, It's You". Oh they'll own up to things eventually, but not before playing some